Home > Apache, Linux > Patching Apache’s Suexec Module Improved

Patching Apache’s Suexec Module Improved

January 5th, 2008 Leave a comment Go to comments

This tutorial improves on my last tutorial Patching Apache’s Suexec Module by adding in alternate docroots and a trusted uid/gid to check when the uid/gid mismatch. This is an added security measure over just ignoring the uid/gid check or using / as the docroot. If you haven’t read my previous tutorial the following quote should bring you up to speed.

Apache’s suexec module is useful for running CGI and SSI scripts as a defined user. However all scripts must be located under the compiled in docroot and the uid/gid of the user running the script must match the script’s uid/gid.

This can be a problem if you have a shared CGI app like awstats as unless you make each user a copy the uid/gid will not match. Not to mention that the docroot on Fedora is /var/www so if you want to store your virtual hosts elsewhere your out of luck. Not to worry recompiling apache isn’t as hard as you might think.

Since we are modifying suexec there is always the potential that the modifications may cause a security hole. Proceed at your own risk!!

The patch allow you to specify three docroots. The default /var/www, one for virtual hosts (in my case /home), and one for shared scripts (most are stored in /usr/share). It also allows for the specification of a trusted uid/gid. Basically if the uid/gid of the suexec user doesn’t match the uid/gid of the file it will check to see if it matches the trusted uid/gid. If it does the execution will continue, otherwise it will log an error. This is great for shared scripts like awstats.

First we need to grab the httpd SRPM from FC5 updates

cd ~
wget http://mirrors.kernel.org/fedora/core/updates/5/SRPMS/httpd-2.2.2-1.3.src.rpm

Next we setup the RPM build area


Install the SRPM into the rpmbuild directory

rpm -ivh httpd-2.2.2-1.3.src.rpm

Grab the suexec patch

cd rpmbuild/SOURCES
wget http://www.excaliburtech.net/wp-content/uploads/2008/01/httpd-222-suexec.patch

Configure the docroots and trusted UID/GID

cd ~/rpmbuild/SPECS
vim httpd.spec
Line 192:
 --with-suexec-docroot=%{contentdir} \
+ --with-suexec-docroot-virtual=/home \
+ --with-suexec-docroot-shared=/usr/share \
+ --with-suexec-trust-uid=500 --with-suexec-trust-gid=500 \

Modify the httpd.spec to include the patch

vim httpd.spec
Line 48:
 Patch73: httpd-2.2.3-CVE-2007-3304.patch
+ Patch80: httpd-2.2.2-suexec.patch
Line 131:
 %patch73 -p1 -b .cve3304
+ %patch80 -p1 -b .suexec

Now we can build the modified RPM

rpmbuild -ba httpd.spec

Instead of reinstalling apache I recommend just extracting and replacing the suexec file

cd ~/rpmbuild
rpm2cpio RPMS/`uname -p`/httpd-2.2.2-1.3.src.rpm | cpio -imVd ./usr/sbin/suexec
sudo cp -p /usr/sbin/suexec /usr/sbin/suexec.orig
sudo cp ./usr/sbin/suexec /usr/sbin/suexec
sudo chown root:apache /usr/sbin/suexec
sudo chmod 4510 /usr/sbin/suexec
Categories: Apache, Linux Tags:
  1. No comments yet.
  1. No trackbacks yet.